Ok, let's go for a short howto. This is just the start of the journey since right now, the best we could achieve is a switch, not a router.

Why are we doing this? Short answer: just for fun. Long one: actually, if the VIM provides enough bandwidth to be used on a DSL WAN then this could be a great base to build an OpenVPN endpoint without the CPU/RAM constraints of a typical consumer grade router.

Let's set the goal: build a basic router with the WAN port on the VIM ethernet interface, the LAN port(s) will be supported by the VIM wireless interface operating in access point mode (AP).

From a logical point of view the LAN will operate on the 10.10.0.x address space and a local DHCP server will manage the local clients. In order to route packets between the WAN interface and the LAN we need to use the Linux kernel netfilter subsystem, specifically the NAT/masquerading function, and this is the first problem we have to solve.

Assuming we can overcome this, then it's a matter of the bandwidth we can achieve between LAN and WAN; if we are above 20-30 Mb/s then the whole thing becomes useful and we could integrate the VPN client and a firewall.

At this point you should have internet access on the VIM, you can test it by pinging something, then we need some support packages:

apt update
apt upgrade
apt install openssh-server (this is optional but I just prefer to do the rest on my laptop in a remote ssh session)
apt install man-db
apt install nano

Now we need to enable some additional repositories for the packages we actually need, you can use the editor "nano" you just installed so run:

nano /etc/apt/sources.list

in this file you want to uncomment (remove the # in the first column) the "universe" repositories (it's in more than one line) where there are the packages we need for the next steps. When done save the file and run the following commands to reload the repositories and install everything:

The first one tells the kernel to enable the routing and the second tells the kernel netfilter subsystem how to actually manage the routing between the LAN and the WAN (we need address translation since on the LAN we are using IPs from a non-public range).

The problem here is that "iptables -t nat" fails, complaining that NAT is not available from the kernel.

Looking in the VIM filesystem under /lib/modules/ I see very few modules are there. I do not have the full config file for the released VIM 4.9 kernel but at this point I understand this is how the kernel was configured.
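A way to see which NAT-related options a kernel config lacks, as an added example that is not part of the original post. The option names are those used by 4.x kernels, the function names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the kernel options that
# "iptables -t nat ... -j MASQUERADE" depends on and that a config lacks.

# Option names as used by 4.x kernels such as the 4.9 discussed here.
NAT_OPTS="CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_NF_NAT_IPV4
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# Read a kernel config on stdin; print every required option that is
# neither built in (=y) nor built as a module (=m).
missing_nat_opts() {
    cfg=$(cat)
    for opt in $NAT_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)\$" || printf '%s\n' "$opt"
    done
}

# Print the running kernel's config if the kernel or distro exposes it.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample: netfilter core and iptables present, NAT left out.
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_NF_NAT is not set'

echo "Missing in constructed sample:"
printf '%s\n' "$SAMPLE_CONFIG" | missing_nat_opts

if cfg_text=$(running_kernel_config 2>/dev/null); then
    echo "Missing in running kernel $(uname -r):"
    printf '%s\n' "$cfg_text" | missing_nat_opts
else
    echo "Running kernel exposes no config; inspect /lib/modules/$(uname -r) instead."
fi
```

An empty list for the running kernel means the options are present as built-ins or modules, so a failing "iptables -t nat" would then point at modules that are not installed or not loaded rather than at the kernel configuration.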

Using which network/netmask is eth0 itself being 'connected to the internet'? (a) Is it doing PPPOE via a modem that connects to the internet? (b) Does it have a 192.168.c.d/24 -style address/subnet? In case of (b) would it not be possible to bridge eth0 and wlan0? Then you do not need NAT behind NAT and 2 DHCP servers (each one for each subnet). In short, then you do not need 10.10.0.0/16.

At this point the clients on the VIM wifi are managed by the DSL modem/router and they can reach the internet.

Unfortunately this does not suit the original goal of building a combo router/VPN client but we can use it as a way to test the VIM performance in AP mode.

On this topic I would add some info: the performance of the VIM wifi acting as AP is in several ways surprising. On one hand it is a feature that the VIM wifi can work out of the box with hostapd and, with the switch setup above, the bandwidth available to a client on the VIM wifi from speedtest.net is about 19-20 Mb/s vs. 23-24 Mb/s when the client is connected to the DSL AP wifi.

The performance drop seems to be related to a quite high ping time to the hostapd managed AP in the VIM. Let me explain, with a laptop connected as client to the VIM wifi in AP mode we have:

ping 10.10.0.1 about 20 ms (average)
ping -f 10.10.0.1 on the other hand reports a much faster 3-4 ms avg.

For reference, the same laptop connected as client to the DSL wifi gets an average ping time of 1-2 ms to the DSL wifi AP.

These results are interesting: the 20 ms ping is quite bad for a single hop, but this seems to change for the better when the traffic grows (the -f option "floods" the target with as many packets as possible).

On the internet some users are reporting similar issues (on both x86 and ARM) with hostapd and the suggested fix is to disable the wifi power save mode; this can be checked with:

iw dev wlan0 get power_save

the VIM reported it as enabled and it can be disabled with:

iw dev wlan0 set power_save off

unfortunately the poor performance for the "standard" ping was not much affected so we may need some specific knowledge about the AP6255.

Any suggestion is welcome and I hope someone can have a look at this when working on the next kernel.

unfortunately the poor performance for the "standard" ping was not much affected so we may need some specific knowledge about the AP6255.

I have huge lag when using WiFi with mainline kernel, AP6255 is something the RPi3 uses too. There is a discussion ongoing on the linux-amlogic mailing list. So it could be related!

Heiner Kallweit: Lagging is a quite frequent issue with WiFi and can have very different reasons. I'm not sure we can blame the SDIO host driver for this in the case here. E.g. RPi3 uses the same brcmfmac driver with other SDIO host driver and there are also a lot of complaints about poor Wifi performance.

So it could either be a driver issue or a hw limit, I hope the guys working on the kernel development can improve this.

I tested the 5 GHz band on the VIM with hostapd/kernel 4.9 and it works. With the /etc/hostapd/hostapd.conf below and the VIM bridging its wifi with the AP LAN, a client on the VIM wifi reports the same bandwidth from speedtest.net as it gets when connected to the DSL wifi (around 25 Mb/s).

So now it's a matter of waiting for the next kernel release or use the one built by @numbqq

I am new to u-boot so excuse me for this question, can I update only the kernel image on the VIM without using the serial interface, mine is still in some post office..

I agree: if one wants to combine with some sort of (transparent?) VPN then double dhcp/nat might need a private 10.0/16 net behind a 192.168.c/24 one. But myself I think I want to go the minimal way and just only provide access point functionality. I also feel VPN is end user responsibility. Thanks for the hints on how to bridge L2, I +/- knew already how. So I am now challenged to just build a minimal amlogic AP (perhaps gentoo). Client connects ISO L1 to WiFi, box bridges L2 to ethernet, and done. No ISO L3 (apart from preferably one IP address on eth for switch management) involved. Of course the device should (but linux can) do L2 spanning tree (and hopefully not be configured as root). I think in terms of required resources and performance, such a simple device would be great.

On Khadas Vim Pro (activated multiboot) (to activate in factory android go to update settings and load autoupdate zip from sd card, copy kvim.dtb to root folder and rename it to dtb.img, if you do not rename the standard kernel is used. If satisfied move install to emmc with install.sh in /root directory.)

connect usb keyboard and hdmi monitor or serial uart adapter.

root
1234

create sudo user

sudo apt-get install ssh

now you can reboot and login. find ip number with advanced ip scanner or look into the client list of your dsl-router.

su

start armbian-config and set your time zone (for proper line drawing, in putty go to settings/translations and iso latin character set)